Want to hack a hole-in-the-wall cash machine for free dosh? It's as easy as Windows XP

Bank ATM pen testing reveals alarming results

ATM machines are vulnerable to an array of basic attack techniques that would allow hackers to lift thousands in cash.

This according to researchers at Positive Technologies, who studied more than two dozen different models of ATMs and found (PDF) nearly all would be vulnerable to network or local access attacks that would allow raiders to pillage the cash dispensers.

The study, out today, pitted Positive researchers against 26 machines from various manufacturers and service providers. Among the more noteworthy results:

15 were found to be running Windows XP.

22 were vulnerable to a "network spoofing" attack where an attacker connects locally to the machine's LAN port and conduct fraudulent transactions. Such an attack takes around 15 minutes to complete.

18 were vulnerable to 'black box' attacks where an attacker physically connects a device to the machine and tricks it into spitting out cash. Positive notes these attacks can be carried out in about ten minutes with aftermarket compute boards (such as a Raspberry Pi).

20 could be forced to exit out of kiosk mode via a USB or PS/2 connection. From there, an attacker could access the underlying OS of the machine and execute additional commands.

24 had no data encryption in place on the hard drive, allowing an attacker who had access to the drive (see above) to pull any stored data and configuration info from the machine.

In general, the research found that, for the most part, the protections used by ATMs to prevent theft and tampering were more or less security theater, and anyone who really wanted to get into a machine could often do so in under an hour.

"More often than not, security mechanisms are a mere nuisance for attackers: our testers found ways to bypass protection in almost every case," the researchers said.

"Since banks tend to use the same configuration on large numbers of ATMs, a successful attack on a single ATM can be easily replicated at greater scale."

One of the top recommendations the report makes to banks is to harden up the physical security of the machines themselves. By physically securing the cabinets to lock away access to the inputs and compute hardware of the machines, many of the techniques used in the study could be thwarted.

Additionally, the researchers recommend banks keep on top of logging and monitoring security events on their networks.

While many of these physical attacks are largely theoretical – banks take a dim view of customers hanging out at ATMs for longer than a few minutes – the report does highlight the shameful lack of security for ATMs, particularly on the software side.

At this year's DEF CON hacking conference one researcher explained how he'd approached banks about flaws in their ATMs, only to be told such things weren't possible. It was only when he told them he was going public with the research that the flaws were fixed. ®